Ronald.Ploeger | 31 Oct 15:38 2014

Remove XML-element from rule target

Hi,

my request body contains an XML like this:

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns5605="http://tempuri.org">
   <SOAP-ENV:Body>
      <WsEditionDetail>
         <isbn>978-3-442-35029-2</isbn>
      </WsEditionDetail>
   </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Now I would like to remove the text of the isbn-element from being inspected by rule 981173.

Alas, neither of the two approaches below works for me:

ctl:ruleRemoveTargetById=981173;XML://isbn
ctl:ruleRemoveTargetById=981173;XML://isbn/text()

When I use

ctl:ruleRemoveTargetById=981173;XML

it works, but this disables the rule for the complete XML document and not just for the isbn-element.

Can anyone point me in the right direction?

Thanks,
Ronald


------------------------------------------------------------------------------
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
Abhishek Bajpai | 30 Oct 21:56 2014

mod security not scanning the file upload document


I am testing mod-security with Apache httpd. I am uploading a normal
file which does not have any virus in it, and the clam-av perl script
fails with the following error.

--d75f485b-H--
Message: Exec: Execution failed while reading
output: /root/Downloads/modsecurity-crs-2.2.9/util/av-scanning/runav.pl
(End of file found)
Message: Rule processing failed.
Apache-Handler: proxy-server
Stopwatch: 1414695761735511 20377 (- - -)
Stopwatch2: 1414695761735511 20377; combined=6577, p1=16, p2=6553, p3=1,
p4=0, p5=7, sr=0, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/).
Server: Apache/2.2.29 (Unix) mod_ssl/2.2.29 OpenSSL/1.0.1e-fips DAV/2
Engine-Mode: "ENABLED"

--d75f485b-J--
1,26,"appname","<Unknown ContentType>"
Total,26

Is there anything wrong I am doing?

Regards
abhishek

Bruno de Almeida | 30 Oct 15:56 2014

Does SecPcreMatchLimit work?

Hi All,

I'm upgrading modsec and the owasp_crs rules on some of our servers and I ran into a bit of an issue with some of the OWASP rules, specifically the XSS ones that inspect Cookies.

We have some rather large Cookie headers on our setup and I noticed that after compiling mod_sec with the following options, I was getting a LOT of 'Execution error - PCRE limits exceeded' errors.

    --host=x86_64-redhat-linux-gnu \
    --build=x86_64-redhat-linux-gnu \
    --target=x86_64-redhat-linux \
    --with-apxs=%{_apacheroot}/bin/apxs \
    --with-apr=%{_apacheroot}/bin/apr-1-config \
    --with-apu=%{_apacheroot}/bin/apu-1-config \
    --with-pcre=%{include_pcre} \
    --with-libxml=%{include_libxml2} \
    --enable-pcre-jit \
    --enable-pcre-study \
    --enable-lua-cache \

I tried to increase SecPcreMatchLimit and SecPcreMatchLimitRecursion to very high numbers and it didn't make any difference.

I also found that 3985 bytes was the maximum Cookie header size mod_sec would accept. 1 byte more and it would throw the PCRE limits exceeded error.

I then re-compiled mod_sec and added these options:

    --enable-pcre-match-limit=200000 \
    --enable-pcre-match-limit-recursion=200000

And the problem was gone, but I then tried to decrease the limits to very low numbers and I still wouldn't get the errors, which kind of tells me that changing these values after compilation doesn't work.

These are the versions I'm running:

[Thu Oct 30 14:47:12 2014] [notice] ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/) configured.
[Thu Oct 30 14:47:12 2014] [notice] ModSecurity: APR compiled version="1.5.1"; loaded version="1.5.1"
[Thu Oct 30 14:47:12 2014] [notice] ModSecurity: PCRE compiled version="8.36 "; loaded version="8.36 2014-09-26"
[Thu Oct 30 14:47:12 2014] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Thu Oct 30 14:47:12 2014] [notice] ModSecurity: LIBXML compiled version="2.9.1"


Thanks,

-- 
- Bruno
Christian Folini | 28 Oct 06:42 2014

IIS: Logformat similar to Apache's Error-Log?

Hi there,

The Apache Error-Log is the center of my work with ModSecurity. Now
I am working with my first customer who runs ModSec on IIS. So far, I
have not been able to go on site. We are in email/phone support
mode. And we have not been able to find anything resembling the
Apache Error-Log with a format as follows:

[Tue Oct 28 22:01:07 2014] [error] [client xx.xx.xx.xx] ModSecurity:
Warning. Pattern match
"(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100
}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|
(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacre
at|prepar)e|execute(?:sql)?|makewebtask)|ql_(? ..." at ARGS:viewform.
[file
"/etc/apache2/modsecurity-core-rules/modsecurity_crs_40_generic_attac
ks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [data
"union select"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]
[hostname "www.example.com"] [uri "/index.php"] [unique_id
"TKuEA8CosiYAAF28c7IAAAAF"]

The Audit-Log is there, and it can be grepped / transformed to give
the rule hits in a similar format, but the information in those events
is not complete. The hostname, uri, unique_id etc. are all missing, for
example, and need to be extracted out of the context.
Before I write a big auditlog->errorlog transformer, is there a
way to activate an Apache error-log style thing in IIS? And if so, how?

(And while we are at it also the access-log?)

Ahoj,

Christian Folini

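As a starting point for the auditlog->errorlog transformer mentioned in the post above, here is an added example (not part of the original message, and not ModSecurity's own code) that parses a ModSecurity 2.x serial audit log and rewrites each "Message:" line of section H into the Apache error-log layout, pulling hostname, uri and unique_id from sections A and B. The audit-log entry embedded in it is constructed, not captured from a real server; the boundary id, IP addresses and rule data are sample values.

```python
import re
from datetime import datetime

# Constructed sample: one serial-audit-log entry (sections A, B, H, Z), not real traffic.
SAMPLE_AUDIT_LOG = """\
--c0ffee42-A--
[28/Oct/2014:22:01:07 +0100] TKuEA8CosiYAAF28c7IAAAAF 203.0.113.7 51234 198.51.100.10 80
--c0ffee42-B--
GET /index.php?viewform=union+select HTTP/1.1
Host: www.example.com
--c0ffee42-H--
Message: Warning. Pattern match "union select" at ARGS:viewform. [file "modsecurity_crs_40_generic_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [severity "CRITICAL"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [id "981176"] [msg "Inbound Anomaly Score Exceeded"]
Apache-Handler: proxy-server
--c0ffee42-Z--
"""

SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
# Section A layout: [timestamp] unique_id client_ip client_port server_ip server_port
SECTION_A_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<client>\S+) \S+ \S+ \S+$")


def split_entries(text):
    """Return one dict per audit-log entry, with the lines of each section keyed by its letter."""
    entries, current, section = [], None, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            boundary, section = m.groups()
            if section == "A":  # every entry starts with section A
                current = {"boundary": boundary}
                entries.append(current)
            continue
        if current is not None and section is not None:
            current.setdefault(section, []).append(line)
    return entries


def to_error_log(entry):
    """Emit one Apache error-log style line per 'Message:' line found in section H."""
    a = SECTION_A_RE.match(entry["A"][0])
    ts = datetime.strptime(a.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    request_line = entry["B"][0].split(" ")
    uri = request_line[1].split("?", 1)[0] if len(request_line) > 1 else "-"
    host = "-"
    for header in entry["B"][1:]:
        if header.lower().startswith("host:"):
            host = header.split(":", 1)[1].strip()
    lines = []
    for line in entry.get("H", []):
        if line.startswith("Message: "):
            lines.append('[%s] [error] [client %s] ModSecurity: %s [hostname "%s"] [uri "%s"] [unique_id "%s"]'
                         % (ts.strftime("%a %b %d %H:%M:%S %Y"), a.group("client"),
                            line[len("Message: "):], host, uri, a.group("uid")))
    return lines


if __name__ == "__main__":
    for entry in split_entries(SAMPLE_AUDIT_LOG):
        print("\n".join(to_error_log(entry)))
```

Feed it the real audit log instead of the embedded sample and the output can be grepped exactly like the Apache error_log shown above.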
Sean Ezell | 27 Oct 20:18 2014

CRS version

If my server administrator is running Mod Security version 2.5.2, which version of the rule set should we be running?

 

Sean Ezell '05
sezell <at> linfield.edu x2720
Web Programmer
Linfield College


Abhishek Bajpai | 27 Oct 18:31 2014

http post not getting scanned by mod-security2 with apache httpd and clamav


Hi,

I have configured the mod-security2 module with Apache httpd and have clamav
running.
I can see the mod security module loaded when I start httpd.
However, when I upload any document using the file upload option in my
application, I do not see any log, nor do I see it getting scanned.
Below is my mod security configuration:

SecRuleEngine On
SecRequestBodyAccess On
SecUploadDir /var/cache/upload
SecRule FILES_TMPNAMES "@inspectFile /etc/apache2/modsecurity/util/runav.pl" \
    "id:159,phase:2,t:none,log,deny,msg:'Malicious Code Detected, access denied'"
SecDebugLog /usr/local/apache/modsec_debug.log
SecAuditLog /usr/local/apache/modsec_audit.log

My requirement is to be able to scan the file upload payload coming along
with http request.

Thanks,
abhishek

Yogesh patel | 27 Oct 13:04 2014

Modsecurity Error: xml parsing error

Hi,

When I have the content type text/xml and don't have proper XML, it throws an XML parsing error.
How can I bypass XML parsing for some kinds of requests?

Is this a proper solution?

SecRule REQUEST_HEADERS:Content-Type "text/xml" \
    "chain,id:'200000',phase:1,t:none,t:lowercase,pass,nolog"
    SecRule REQUEST_FILENAME "@contains /Test/" "ctl:requestBodyProcessor=XML"

Description: it will not parse XML, for instance for "/Test/"? Is this solution appropriate, or is there any other good alternative?

--
Regards,
Yogesh Patel

René Bauer | 24 Oct 11:19 2014

Problem with SLR rule 2200001

Hello,

starting today we have a problem with the SLR rule 2200001 from modsecurity_slr_50_malware_detection.conf. At the beginning of the file malware_payloads.txt which is used by that rule there is a line "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">". This line matches with the standard Apache mod_rewrite RewriteRule response and blocks all redirect traffic.
Can anybody tell me why this line and lines like "<h1>Service Temporarily Unavailable</h1>", "<p>The server is temporarily unable to service your", and "<title>503 Service Temporarily Unavailable</title>" are considered malicious code? 

Ciao,
Rene
Tom Chiverton | 23 Oct 14:05 2014

Can't seem to prevent matches being listed in Apache error_log

Hi,

I have a production machine where we're using mod_security in front of largely static applications.

We don't need matched rules to be logged to the Apache error_log, but I can't seem to turn this off.

This is a standard install on Ubuntu, with /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf set to
SecDefaultAction deny,nolog,auditlog

I've tried both
SecDebugLogLevel 0
and
LogLevel security2_module:crit
but I'm still getting output in the error_log.

Am I going about this in the wrong way?

Ryan Barnett | 22 Oct 23:57 2014

Welcoming Chaim Sanders to the SpiderLabs Research Team

I wanted to send a note out to the ModSecurity community to introduce Chaim Sanders - https://www.linkedin.com/pub/chaim-sanders/13/237/a7a. He is joining the SpiderLabs Research team, where he will be focusing on supporting the ModSecurity project and community. This means he will help out answering emails from the community on these mail-lists, help Felipe Costa with development on our Github repos, create new signatures for OWASP CRS/Commercial Rules and also help to deliver professional services from Trustwave for our commercial customers. Needless to say, we have a lot of work for Chaim and we are thrilled to have him on the team. His background in web application penetration testing gives him a great "Know Your Enemy" perspective to bring to web application defenses like ModSecurity.

Please join me in welcoming Chaim.

Thanks.

Ryan Barnett

Senior Lead Security Researcher, SpiderLabs

 

Brian Clark | 21 Oct 04:34 2014

Troubleshooting ModSecurity IIS Module Conflicts

I found the source of my ModSecurity/AJAX/CORS issue: it is some kind of
conflict between IIS and a custom IIS module I have running in my web app.

Any advice on troubleshooting issues between ModSecurity and custom IIS
Modules?

Thanks,
Brian
